1 (ISC)2 SecureLondon 2009, London, United Kingdom
This information is not intended, and should not be construed, as an offer to sell, or as a solicitation of an offer to purchase, any securities
Ten Practical Steps to Reducing Software-based Threats
Dr Serdar Cabuk, CISSP, Security Specialist, VISA Europe

2 Ten Practical Steps to Reducing Software-based Threats | 28 July 2009
Outline
Motivation and scope
Methodology
– Plan (2)
– Do (5)
– Check (2)
– Act (1)
The way forward

3 Motivation
Fact
– You have an SDLC in place
Reality
– You don’t have a secure SDLC
Strategic v Tactical
Drivers
– Budget
– Time to market
– Top down v Bottom up

4 Scope
What it isn’t
– Strategic
– Certified / Methodical
– Framework based
– Long term
What it is
– Tactical
– Customised / Hands on
– Process based
– Short term

5 Methodology
(diagram labels) PMM – SALC – SDLC – SDLC+

6 PLAN : Preparation
Goal : Ensure readiness and support prior to process improvement
Prerequisites
– Security policy
– Management buy-in

7 PLAN : Preparation
1. Segregate software assurance and development functions
(diagram labels) Assurance | Development

8 PLAN : Preparation
2. Engage with all functions including
– Information security: compliance specialists and security architects
– Architecture: solutions or technical architects
– Development: analysts and lead developers
– Engineering: infrastructure and network specialists
– Service owner and key stakeholders
– Project and programme management

9 DO : Transition
Goal : Improve software development by introducing targeted additions to the lifecycle
Prerequisites
– Buy-in from all teams involved

10 DO : Transition
3. Perform initial threat assessment to drive the high level design
Input: Requirements
Output: Improved high level design
Tasks and roles (RASCI: Responsible, Accountable, Support, Consulted, Informed), columns Security / Architect / PM, letters as on the slide:
  Information gathering           RCA
  Security requirements analysis  RACI
  High level secure design        SRAI
  Reporting and communication     RIA

11 DO : Transition
4. Perform application threat modelling to identify software-based threats
Input: Requirements and initial design
Output: Application threat model
Tasks and roles, columns Security / Architect / Developer / PM, letters as on the slide:
  Information gathering and planning  RCCA
  Application decomposition           CRSAI
  Application threat analysis         RASCI
  Scoring and countermeasures         RSAII
  Reporting and communication         RCIA

12 DO : Transition
5. Perform secure design reviews to ensure secure software architecture
Input: High level design and application threat model
Output: Application level design
Tasks and roles, columns Security / Architect / PM, letters as on the slide:
  Information gathering                   RCA
  Security requirements revisited         RSAI
  Deployment and infrastructure analysis  RSAI
  Application component analysis          RSAI
  Reporting and communication             RCA

13 DO : Transition
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
Input: Application software and SCA tool
Output: Improved application software
Tasks and roles, columns Security / Developer / PM, letters as on the slide:
  Information gathering        RCA
  Source code analysis         RACI
  Review and scoring           RASI
  Code improvement             SRAI
  Reporting and communication  RCA

14 DO : Transition
7. Employ secure coding principles to reduce software-based threats and improve code quality
Input: Coding standards
Output: Improved application software
Tasks and roles, columns Security / Developer, letters as on the slide:
  Information gathering    RC
  Standards establishment  RA
  Standards application    AR

15 CHECK : Embedding
Goal : Ensure process implementation and establish security standard
Prerequisites
– Documented process and templates

16 CHECK : Embedding
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training

17 ACT : Alignment
Goal : Continuous capability maturity improvement using an industry standard framework
10. Introduce an industry standard ISMS framework and align it with the secure SDLC

18 Summary
1. Segregate software assurance and development functions
2. Engage with all functions including information security, architecture, development, engineering and project management
3. Perform initial threat assessment to drive the high level design
4. Perform application threat modelling to identify software-based threats
5. Perform secure design reviews to ensure secure software architecture

19 Summary
6. Perform source code analysis (SCA) to identify and address code level vulnerabilities
7. Employ secure coding principles to reduce software-based threats and improve code quality
8. Ensure process embedding through SDLC workshops and documentation
9. Establish security standards and raise awareness through security events and training
10. Introduce an industry standard process framework and align it with the secure SDLC

20 (ISC)2 SecureLondon 2009, London, United Kingdom
Thank you
